20.8.2 Setting and Displaying ACLs

To add or modify the ACL rules for a file, use the setfacl command:

# setfacl -m rules file ...

The rules take the following forms:

[d:]u:user[:permissions]

Sets the access ACL for the user specified by name or user ID. The permissions apply to the owner if a user is not specified.

[d:]g:group[:permissions]

Sets the access ACL for a group specified by name or group ID. The permissions apply to the owning group if a group is not specified.

[d:]m[:][:permissions]

Sets the effective rights mask, which is the union of all permissions of the owning group and all of the user and group entries. The mask is an upper bound on the rights granted by the named user entries, the owning group entry, and the named group entries; it does not limit the owner or other entries. Unless you set the mask explicitly (or pass -n to setfacl), setfacl recalculates it each time it modifies the ACL.

[d:]o[:][:permissions]

Sets the access ACL for other (everyone else to whom no other rule applies).

The permissions are r, w, and x for read, write, and execute as used with chmod.

The d: prefix applies the rule to the default ACL of a directory. Default ACL entries are inherited as the initial access ACL of files and subdirectories created in that directory.

To display a file's ACL, use the getfacl command, for example:

# getfacl foofile
# file: foofile
# owner: bob
# group: bob
user::rw-
user:fiona:r--
user:jack:rw-
user:jill:rw-
group::r--
mask::r--
other::r--

If extended ACLs are active on a file, the -l option to ls displays a plus sign (+) after the permissions, for example:

# ls -l foofile
-rw-r--r--+ 1 bob bob  105322 Apr 11 11:02 foofile

The following are examples of how to set and display ACLs for directories and files.

Grant read access to a file or directory to a user.

# setfacl -m u:user:r file

Display the name, owner, group, and ACL for a file or directory.

# getfacl file

Remove write access to a file for all named users and all groups by modifying the effective rights mask rather than the individual ACL entries. The owner and other entries are not subject to the mask, so the owner's write access is unchanged, and a later setfacl -m call without -n recalculates the mask and can restore the write permission.

# setfacl -m m::rx file
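The mask rule above silently reduces the rights that the named user and group entries appear to grant. getfacl marks such entries with an #effective: comment; the following added example (not from the original page) reproduces that computation in POSIX sh and awk over a constructed getfacl listing, so you can see which entries a mask actually limits without touching a real file. The functions effective_perms and masked_entries and the sample ACL text are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the ACL mask to a getfacl listing and report
# the effective permissions of each entry, the way getfacl's
# "#effective:" annotation does. The listing below is constructed.

SAMPLE_ACL='# file: foofile
# owner: bob
# group: bob
user::rw-
user:fiona:r--
user:jack:rw-
user:jill:rw-
group::r--
mask::r--
other::r--'

# effective_perms ACL_TEXT
# Prints one line per ACL entry: "<entry> effective:<perms>".
# The mask limits named users, the owning group, and named groups;
# the owner (user::), other and the mask entry itself are not masked.
effective_perms() {
    printf '%s\n' "$1" | awk -F: '
        # Skip the "# file:", "# owner:", "# group:" comments and blanks.
        /^#/ || NF < 3 { next }
        { entries[NR] = $0 }
        $1 == "mask" { mask = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!(i in entries)) continue
                split(entries[i], f, ":")
                perm = f[3]
                if ((f[1] == "user" && f[2] != "") || f[1] == "group") {
                    # Keep a bit only if both the entry and the mask grant it.
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm, j, 1)
                        eff = eff ((c != "-" && substr(mask, j, 1) != "-") ? c : "-")
                    }
                } else {
                    eff = perm
                }
                print f[1] ":" f[2] ":" perm " effective:" eff
            }
        }'
}

# masked_entries ACL_TEXT
# Prints only the entries whose effective rights are smaller than the
# rights written in the entry, i.e. where the mask is doing the limiting.
masked_entries() {
    effective_perms "$1" | awk '{
        split($1, a, ":")
        if (a[3] != substr($2, 11)) print $1
    }'
}

effective_perms "$SAMPLE_ACL"
echo "entries limited by the mask:"
masked_entries "$SAMPLE_ACL"
```

With the sample listing, jack and jill are shown as rw- but are effective r--, because the mask is r--; fiona, the owner, and other are unaffected. Run the same check against real output from `getfacl file` after a mask change to confirm who actually lost write access.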

The -x option removes rules for a user or group.

Remove the rules for a user from the ACL of a file.

# setfacl -x u:user file

Remove the rules for a group from the ACL of a file.

# setfacl -x g:group file

The -b option removes all extended ACL entries from a file or directory.

# setfacl -b file

Copy the ACL of file f1 to file f2.

# getfacl f1 | setfacl --set-file=- f2

Set a default ACL of read and execute access for other on a directory:

# setfacl -m d:o:rx directory

Promote the ACL settings of a directory to default ACL settings that can be inherited.

# getfacl --access directory | setfacl -d -M- directory

The -k option removes the default ACL from a directory.

# setfacl -k directory

For more information, see the acl(5), setfacl(1), and getfacl(1) manual pages.